Re: Window code signing certificate source recommendations

2023-10-11 Thread Paul Dupuis via use-livecode

On 10/10/2023 9:56 AM, matthias rebbe via use-livecode wrote:

Paul,

just googled a little bit...

If you have a SafeNet USB Token, then there seems to be a way to disable the 
password pop up.

https://www.finalbuilder.com/resources/blogs/code-signing-with-usb-tokens




Thank you for this!

We have to get back to doing some development now that we have a new 
Windows Cert and our mac Cert is working with Apple's Nov 1 new 
notarization process, but I'll give this a try when I have a chance.


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode


Re: Window code signing certificate source recommendations

2023-10-11 Thread Stephen Barncard via use-livecode
Programming is just not fun any more.
Being creative is now just completely overwhelmed by ... whatever this
is... just to get the thing on the air so people won't hack or steal.
*Security* is a job we need AI to handle, not to replace our own creativity
in the app itself.
sqb
--
Stephen Barncard - Sebastopol Ca. USA -
mixstream.org


On Tue, Oct 10, 2023 at 6:57 AM matthias rebbe via use-livecode <
use-livecode@lists.runrev.com> wrote:

> Paul,
>
> just googled a little bit...
>
> If you have a SafeNet USB Token, then there seems to be a way to disable
> the password pop up.
>
> https://www.finalbuilder.com/resources/blogs/code-signing-with-usb-tokens
>
> > On 10.10.2023 at 15:05, Paul Dupuis via use-livecode <
> use-livecode@lists.runrev.com> wrote:
> >
> > On 10/10/2023 8:53 AM, matthias rebbe via use-livecode wrote:
> >> Hello Paul,
> >>
> >> unfortunately this is the "new" standard. Since 1st June 2023 private
> keys have to be stored on a Token.
> >>
> https://www.sslpoint.com/new-private-key-storage-requirement-for-standard-code-signing-certificates/
> >>
> >> There is no way anymore to export a certificate for example to .pfx.
> >> And much more of a pain, it is not possible anymore to code sign
> Windows apps under macOS, or at least I was not able to do so so far.
> >>
> >> I have a "cloud" certificate from Certum which i purchased from SSL
> Point (https://www.sslpoint.com )
> >>
> >> With this type of certificate the private key is not stored on a USB
> token. This "cloud" certificate works similar to a USB token. I also have
> to install some software. This software allows me to log in to the "cloud"
> and after successful login I can use that certificate
> >> with Microsoft's signtool and JARsigner.
> >>
> https://www.files.certum.eu/documents/manual_en/Code-Signing-signing-the-code-using-tools-like-Singtool-and-Jarsigner_v2.3.pdf
> >>
> >> So to automate your signing, you just have to keep a Windows PC running
> and make sure that you are logged in to the "Cloud". As long as the
> software is logged in you have access to the certificate.
> >> I don't know if this is also the case with the USB Token. Could not
> test it, because I do not have a USB token. ;)
> >>
> >>
> >> Regards,
> >> Matthias
> >
> > First, thank you for the very informative reply (with links!)
> >
> > Second, this "new" standard STINKS!
> >
> > The cloud cert sounds interesting, but we recently renewed our macOS cert
> and now we've just renewed our Windows cert, so, short of trying to get
> money back from Comodo and switching to the "cloud", I guess I am stuck
> with the "new" crappy standard.
> >
> > I do not see how large software companies that automate build, signing,
> and even QA testing can accept this change. But they must, or the suppliers
> of certs would not go this route for loss of income.
> >
> >


Re: Window code signing certificate source recommendations

2023-10-10 Thread matthias rebbe via use-livecode
Paul,

just googled a little bit...

If you have a SafeNet USB Token, then there seems to be a way to disable the 
password pop up.

https://www.finalbuilder.com/resources/blogs/code-signing-with-usb-tokens

> On 10.10.2023 at 15:05, Paul Dupuis via use-livecode wrote:
> 
> On 10/10/2023 8:53 AM, matthias rebbe via use-livecode wrote:
>> Hello Paul,
>> 
>> unfortunately this is the "new" standard. Since 1st June 2023 private keys 
>> have to be stored on a Token.
>> https://www.sslpoint.com/new-private-key-storage-requirement-for-standard-code-signing-certificates/
>> 
>> There is no way anymore to export a certificate for example to .pfx.
>> And much more of a pain, it is not possible anymore to code sign Windows apps 
>> under macOS, or at least I was not able to do so so far.
>> 
>> I have a "cloud" certificate from Certum which i purchased from SSL Point 
>> (https://www.sslpoint.com )
>> 
>> With this type of certificate the private key is not stored on a USB token. 
>> This "cloud" certificate works similar to a USB token. I also have to 
>> install some software. This software allows me to log in to the "cloud" and 
>> after successful login I can use that certificate
>> with Microsoft's signtool and JARsigner.
>> https://www.files.certum.eu/documents/manual_en/Code-Signing-signing-the-code-using-tools-like-Singtool-and-Jarsigner_v2.3.pdf
>> 
>> So to automate your signing, you just have to keep a Windows PC running and 
>> make sure that you are logged in to the "Cloud". As long as the software is 
>> logged in you have access to the certificate.
>> I don't know if this is also the case with the USB Token. Could not test it, 
>> because I do not have a USB token. ;)
>> 
>> 
>> Regards,
>> Matthias
> 
> First, thank you for the very informative reply (with links!)
> 
> Second, this "new" standard STINKS!
> 
> The cloud cert sounds interesting, but we recently renewed our macOS cert and 
> now we've just renewed our Windows cert, so, short of trying to get money 
> back from Comodo and switching to the "cloud", I guess I am stuck with the 
> "new" crappy standard.
> 
> I do not see how large software companies that automate build, signing, and 
> even QA testing can accept this change. But they must, or the suppliers of 
> certs would not go this route for loss of income.
> 
> 


Re: Window code signing certificate source recommendations

2023-10-10 Thread Paul Dupuis via use-livecode

On 10/10/2023 8:53 AM, matthias rebbe via use-livecode wrote:

Hello Paul,

unfortunately this is the "new" standard. Since 1st June 2023 private keys have 
to be stored on a Token.
https://www.sslpoint.com/new-private-key-storage-requirement-for-standard-code-signing-certificates/

There is no way anymore to export a certificate for example to .pfx.
And much more of a pain, it is not possible anymore to code sign Windows apps 
under macOS, or at least I was not able to do so so far.

I have a "cloud" certificate from Certum which i purchased from SSL Point 
(https://www.sslpoint.com )

With this type of certificate the private key is not stored on a USB token. This "cloud" 
certificate works similar to a USB token. I also have to install some software. This software allows 
me to log in to the "cloud" and after successful login I can use that certificate
with Microsoft's signtool and JARsigner.
https://www.files.certum.eu/documents/manual_en/Code-Signing-signing-the-code-using-tools-like-Singtool-and-Jarsigner_v2.3.pdf

So to automate your signing, you just have to keep a Windows PC running and make sure 
that you are logged in to the "Cloud". As long as the software is logged in you 
have access to the certificate.
I don't know if this is also the case with the USB Token. Could not test it, 
because I do not have a USB token. ;)


Regards,
Matthias


First, thank you for the very informative reply (with links!)

Second, this "new" standard STINKS!

The cloud cert sounds interesting, but we recently renewed our macOS cert 
and now we've just renewed our Windows cert, so, short of trying to get 
money back from Comodo and switching to the "cloud", I guess I am stuck 
with the "new" crappy standard.


I do not see how large software companies that automate build, signing, 
and even QA testing can accept this change. But they must, or the 
suppliers of certs would not go this route for loss of income.





Re: Window code signing certificate source recommendations

2023-10-10 Thread Paul Dupuis via use-livecode

On 10/10/2023 8:38 AM, Brian Milby via use-livecode wrote:

While not directly applicable, you may be able to script it similar to using a CAC.

DOD uses Smart Cards for authentication and you can have command line tools use 
the card for authentication (runas /smartcard program).  What happens is that 
you get a pop up from the system to choose cert and enter PIN.  A similar 
process may be possible.

Brian Milby
br...@milby7.com



Thanks Brian,

The USB token from Comodo/Sectigo is effectively the same process. You 
still use signtool in a command line to sign, but then the SafeNet 
Authentication Client pops up a dialog to have you manually enter the 
USB token password/PIN to grant access to the cert.


This is a change from the previous process that required no manual 
intervention. However, perhaps it is an industry-wide change and 
something I will just have to live with. Sigh.





Re: Window code signing certificate source recommendations

2023-10-10 Thread matthias rebbe via use-livecode
Hello Paul,

unfortunately this is the "new" standard. Since 1st June 2023 private keys have 
to be stored on a Token.
https://www.sslpoint.com/new-private-key-storage-requirement-for-standard-code-signing-certificates/

There is no way anymore to export a certificate for example to .pfx.
And much more of a pain, it is not possible anymore to code sign Windows apps 
under macOS, or at least I was not able to do so so far.

I have a "cloud" certificate from Certum which i purchased from SSL Point 
(https://www.sslpoint.com )

With this type of certificate the private key is not stored on a USB token. 
This "cloud" certificate works similar to a USB token. I also have to install 
some software. This software allows me to log in to the "cloud" and after 
successful login I can use that certificate
with Microsoft's signtool and JARsigner.
https://www.files.certum.eu/documents/manual_en/Code-Signing-signing-the-code-using-tools-like-Singtool-and-Jarsigner_v2.3.pdf

So to automate your signing, you just have to keep a Windows PC running and 
make sure that you are logged in to the "Cloud". As long as the software is 
logged in you have access to the certificate.
I don't know if this is also the case with the USB Token. Could not test it, 
because I do not have a USB token. ;)


Regards,
Matthias




> On 10.10.2023 at 12:39, Paul Dupuis via use-livecode wrote:
> 
> To any with a recommendation:
> 
> I have been getting my Windows Code Signing Certificates from Comodo. I have 
> been able to get certs in file formats like .pfx or .p12 that allow me to 
> code sign using a single command line with the password as part of the 
> command. This lets me script code signing as part of the "on standaloneSaved" 
> message using the "shell()" function, so the code signing is part of saving 
> the Standalone.
> 
> My current Windows cert expires in November, so I clicked the renew link and 
> renewed. The new Cert came on a "USB token" - a small USB memory stick that 
> is specially encoded. To sign, I HAVE to use a desktop GUI app called 
> SafeNet Authentication Client Tools. After a bunch of back and forth with 
> Sectigo - Comodo's fulfillment branch - I got the following message:
> 
> -
> 
> We apologize for the delayed response and any inconvenience it may have 
> caused. We understand that you need a Code Signing certificate in PFX format 
> to automate the signing process. As per the CA/B forum's new regulation, the 
> private key should be generated, stored, and used on a suitable 
> FIPS-compliant hardware token. This change from the CA/B Forum aims to 
> improve security and help reduce the risk of compromise.
> 
> The Code Signing token is a hardware device with a certificate/key inbuilt 
> and they cannot create/export PFX files. Since the private key is stored on 
> the hardware token, for security it cannot be copied or exported. The concept 
> of the token-based code signing certificate is to plug the USB into the 
> system where you want to sign the software. We appreciate your understanding 
> in this matter.
> 
> -
> 
> So, apparently Comodo/Sectigo does NOT issue ANY cert that can be used in a 
> sign command line PER the CA/B Forums (whatever they are).
> 
> 
> Does anyone know if this is an industry-wide change? Or can anyone recommend 
> a Windows Code Signing Certificate provider that can provide a cert in a 
> format that supports command line signing, such as:
> 
> "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" 
> sign /fd certHash /debug /f "C:\Users\Paul\Desktop\Code 
> Signing\RWCodeSigningCert4.pfx" /t http://timestamp.comodoca.com/authenticode 
> /v /p  ""
> 
> 
> I really do not want to return to having to manually sign standalones!
> 
> 
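As an added example (not code from the thread, from Paul, Matthias, or from Sectigo/Certum): a PowerShell wrapper that does what Paul's signtool command line does, but selects the certificate from the user's certificate store by thumbprint, which is how a token-backed or cloud-backed key is exposed to signtool, instead of loading a .pfx with a password on the command line; it then verifies the signed file independently. It assumes signtool.exe from the Windows SDK is on PATH, that the certificate is installed in CurrentUser\My, and it uses placeholder values for the thumbprint and file path and an assumed RFC 3161 timestamp URL.

```powershell
# Added example (not from the thread). Assumes signtool.exe from the Windows SDK
# is on PATH and that the signing certificate is installed in the CurrentUser\My
# store with its private key held by a USB token or a cloud-signing client.
function Invoke-SignAndVerify {
    param(
        [Parameter(Mandatory)][string]$Path,          # file to sign (.exe/.dll/.msi)
        [Parameter(Mandatory)][string]$Thumbprint,    # SHA-1 thumbprint of the signing cert
        # Assumed RFC 3161 timestamp endpoint; use the one your CA publishes.
        [string]$TimestampUrl = 'http://timestamp.sectigo.com'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # The public certificate lives in the store; the private key stays on the
    # token or in the cloud service, which is why it cannot be exported to .pfx.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        throw "No certificate with thumbprint $Thumbprint in CurrentUser\My"
    }
    if (-not $cert.HasPrivateKey) {
        throw 'Certificate has no linked private key (token unplugged or cloud client not logged in?)'
    }

    # /sha1 picks the certificate from the store by thumbprint, so there is no
    # .pfx file and no password on the command line. The CSP/KSP behind the
    # store performs the private-key operation; with a SafeNet token this is
    # the point at which its client asks for the token PIN.
    # /fd SHA256 digests the file with SHA-256; /tr and /td SHA256 request an
    # RFC 3161 timestamp so the signature stays valid after the cert expires.
    $signArgs = @(
        'sign',
        '/fd', 'SHA256',
        '/sha1', $Thumbprint,
        '/tr', $TimestampUrl,
        '/td', 'SHA256',
        '/v',
        $Path
    )
    & signtool.exe @signArgs
    if ($LASTEXITCODE -ne 0) {
        throw "signtool sign failed with exit code $LASTEXITCODE"
    }

    # Independent check: Get-AuthenticodeSignature validates the signature and
    # its chain against the Windows trust store. Anything but Valid fails the build.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
    }

    [pscustomobject]@{
        File        = $Path
        Signer      = $sig.SignerCertificate.Subject
        Thumbprint  = $sig.SignerCertificate.Thumbprint
        Timestamped = ($null -ne $sig.TimeStamperCertificate)
    }
}

# Usage (placeholder values). List candidate thumbprints with:
#   Get-ChildItem Cert:\CurrentUser\My | Format-List Subject, Thumbprint
# Invoke-SignAndVerify -Path 'C:\build\MyApp.exe' -Thumbprint 'REPLACE_WITH_THUMBPRINT'
```

The only thing that changes compared with the .pfx flow is where the private key lives: the command line no longer carries a key file or a password, and the token or cloud client decides whether a PIN prompt appears. This wrapper does not suppress that prompt; what it adds for a build script is a clear failure before the prompt when the certificate or key is not reachable, and a post-sign verification so a silently unsigned or mis-signed standalone never leaves the build machine.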


Re: Window code signing certificate source recommendations

2023-10-10 Thread Brian Milby via use-livecode
While not directly applicable, you may be able to script it similar to using a CAC.

DOD uses Smart Cards for authentication and you can have command line tools use 
the card for authentication (runas /smartcard program).  What happens is that 
you get a pop up from the system to choose cert and enter PIN.  A similar 
process may be possible.

Brian Milby
br...@milby7.com

> On Oct 10, 2023, at 6:40 AM, Paul Dupuis via use-livecode 
>  wrote:
> 
> To any with a recommendation:
> 
> I have been getting my Windows Code Signing Certificates from Comodo. I have 
> been able to get certs in file formats like .pfx or .p12 that allow me to 
> code sign using a single command line with the password as part of the 
> command. This lets me script code signing as part of the "on standaloneSaved" 
> message using the "shell()" function, so the code signing is part of saving 
> the Standalone.
> 
> My current Windows cert expires in November, so I clicked the renew link and 
> renewed. The new Cert came on a "USB token" - a small USB memory stick that 
> is specially encoded. To sign, I HAVE to use a desktop GUI app called 
> SafeNet Authentication Client Tools. After a bunch of back and forth with 
> Sectigo - Comodo's fulfillment branch - I got the following message:
> 
> -
> 
> We apologize for the delayed response and any inconvenience it may have 
> caused. We understand that you need a Code Signing certificate in PFX format 
> to automate the signing process. As per the CA/B forum's new regulation, the 
> private key should be generated, stored, and used on a suitable 
> FIPS-compliant hardware token. This change from the CA/B Forum aims to 
> improve security and help reduce the risk of compromise.
> 
> The Code Signing token is a hardware device with a certificate/key inbuilt 
> and they cannot create/export PFX files. Since the private key is stored on 
> the hardware token, for security it cannot be copied or exported. The concept 
> of the token-based code signing certificate is to plug the USB into the 
> system where you want to sign the software. We appreciate your understanding 
> in this matter.
> 
> -
> 
> So, apparently Comodo/Sectigo does NOT issue ANY cert that can be used in a 
> sign command line PER the CA/B Forums (whatever they are).
> 
> 
> Does anyone know if this is an industry-wide change? Or can anyone recommend 
> a Windows Code Signing Certificate provider that can provide a cert in a 
> format that supports command line signing, such as:
> 
> "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" 
> sign /fd certHash /debug /f "C:\Users\Paul\Desktop\Code 
> Signing\RWCodeSigningCert4.pfx" /t http://timestamp.comodoca.com/authenticode 
> /v /p  ""
> 
> 
> I really do not want to return to having to manually sign standalones!
> 
> 